Completely remove Jitter CPU from library artifact if not enabled (#1249

)

Previously, we disabled jitter cpu by default; instead enabling the passive strategy by default. This is a build-time configuration. That is, if jitter cpu is not explicitly enabled, jitter cpu is not used as the source in FIPS mode and is redundant.

Remove it completely now.

CMakeLists.txt

@@ -33,6 +33,7 @@ if(FIPS)
 
   if(ENABLE_FIPS_ENTROPY_CPU_JITTER)
     add_definitions(-DFIPS_ENTROPY_SOURCE_JITTER_CPU)
+    add_subdirectory(third_party/jitterentropy)
     message(STATUS "FIPS entropy source method configured: CPU Jitter")
   else()
     add_definitions(-DFIPS_ENTROPY_SOURCE_PASSIVE)
@@ -647,8 +648,6 @@ if(FIPS)
     message(FATAL_ERROR "Windows Debug build is not supported with FIPS, use Release or RelWithDebInfo")
   endif()
 
-  add_subdirectory(third_party/jitterentropy)
-
   add_definitions(-DBORINGSSL_FIPS)
   if(FIPS_BREAK_TEST)
     add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")

crypto/CMakeLists.txt

@@ -532,7 +532,9 @@ target_include_directories(crypto_objects BEFORE PRIVATE ${PROJECT_BINARY_DIR}/s
 target_include_directories(crypto_objects PRIVATE ${PROJECT_SOURCE_DIR}/include)
 
 function(build_libcrypto name module_source)
-  if(FIPS)
+  if(FIPS AND ENABLE_FIPS_ENTROPY_CPU_JITTER)
+    # If the jitter cpu entropy source is enabled add an object dependency to
+    # the libcrypto target.
     add_library(${name} $<TARGET_OBJECTS:crypto_objects> ${CRYPTO_FIPS_OBJECTS} ${module_source} $<TARGET_OBJECTS:jitterentropy>)
   else()
     add_library(${name} $<TARGET_OBJECTS:crypto_objects> ${CRYPTO_FIPS_OBJECTS} ${module_source})
@@ -679,13 +681,6 @@ if(BUILD_TESTING)
     fipsmodule/rand/urandom_test.cc
   )
 
-  # When using CPU Jitter as the entropy source (only in FIPS build)
-  # urandom_test should not be performed so we pass the compilation flag
-  # and handle it in urandom_test.cc
-  if(JITTER_ENTROPY)
-    target_compile_options(${RANDOM_TEST_EXEC} PUBLIC -DJITTER_ENTROPY)
-  endif()
-
   add_dependencies(${RANDOM_TEST_EXEC} boringssl_prefix_symbols)
   target_link_libraries(${RANDOM_TEST_EXEC} test_support_lib boringssl_gtest crypto)
   target_include_directories(${RANDOM_TEST_EXEC} BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)

crypto/fipsmodule/bcm.c

@@ -235,10 +235,12 @@ static void BORINGSSL_bcm_power_on_self_test(void) {
   OPENSSL_cpuid_setup();
 #endif
 
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
   if (jent_entropy_init()) {
     fprintf(stderr, "CPU Jitter entropy RNG initialization failed.\n");
     goto err;
   }
+#endif
 
 #if !defined(OPENSSL_ASAN)
   // Integrity tests cannot run under ASAN because it involves reading the full

crypto/fipsmodule/rand/cpu_jitter_test.cc

@@ -1,7 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-#if defined(BORINGSSL_FIPS)
+#if defined(BORINGSSL_FIPS) && defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
 
 #include <gtest/gtest.h>
 

tool/speed.cc

@@ -2252,6 +2252,7 @@ static bool SpeedSelfTest(const std::string &selected) {
   return true;
 }
 
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
 static bool SpeedJitter(size_t chunk_size) {
   struct rand_data *jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS);
 
@@ -2288,6 +2289,7 @@ static bool SpeedJitter(std::string selected) {
   return true;
 }
 #endif
+#endif
 
 static bool SpeedDHcheck(size_t prime_bit_length) {
 
@@ -2682,10 +2684,14 @@ bool Speed(const std::vector<std::string> &args) {
     }
 
 #if defined(AWSLC_FIPS)
-    if (!SpeedSelfTest(selected) ||
-        !SpeedJitter(selected)) {
+    if (!SpeedSelfTest(selected)) {
+      return false;
+    }
+#if defined(FIPS_ENTROPY_SOURCE_JITTER_CPU)
+    if (!SpeedJitter(selected)) {
       return false;
     }
+#endif
 #endif
   }